OFFICE OF
INSPECTOR GENERAL

August 13, 2013

Memorandum

To:       Eric Eisenstein
          Division Chief, Internal Control and Audit Follow-up
          Office of Financial Management

From:     Michael P. Colombo
          Western Regional Manager for Audits, Inspections, and Evaluations

Subject:  Verification Review of Recommendations for the Evaluation Report, "Evaluation of the Department of the Interior's Accountability of Desktop and Laptop Computers and their Sensitive Data" (WR-EV-MOI-0006-2008, April 2009)
          Report No. WR-VS-MOA-0018-2013

The U.S. Department of the Interior (DOI) Office of Inspector General (OIG) has completed a verification review of the four recommendations presented in the subject evaluation report. Our objective was to determine whether the Office of Acquisition and Property Management (PAM) and the Office of the Chief Information Officer (OCIO) implemented the recommendations as reported to the Office of Financial Management (PFM), Office of Policy, Management and Budget. PFM reported to OIG when PAM and OCIO had addressed and provided supporting documentation for the recommendations in the subject report. Based on our review, we consider all four recommendations to be resolved and implemented.

Background

Our April 2009 evaluation report, "Evaluation of the Department of the Interior's Accountability of Desktop and Laptop Computers and their Sensitive Data," contained four recommendations pertaining to the accountability of DOI computers and the potential loss or misuse of sensitive information they may contain.

PAM and OCIO agreed with all four recommendations and provided their plan of action in a memorandum dated July 7, 2009. Based on DOI's response, we considered the four recommendations resolved but not implemented. We deemed the actions identified in DOI's response to Recommendations 1 and 3 to be insufficient. PFM notified us that the recommendations were closed as shown below:

   • Recommendation 1: July 19, 2010;
   • Recommendation 2: September 9, 2010;
   • Recommendation 3: August 25, 2011; and
   • Recommendation 4: January 17, 2012.

Office of Audits, Inspections, and Evaluations | Sacramento, CA

Scope and Methodology

The scope of this review was limited to determining whether PAM and OCIO took action to implement our recommendations. To accomplish our objective, we reviewed the supporting documentation that PAM and OCIO provided and discussed actions taken relating to the recommendations.

We did not perform any site visits or conduct fieldwork to determine whether PAM and OCIO had corrected the underlying deficiencies that we initially identified. As a result, this review was not conducted in accordance with the Generally Accepted Government Auditing Standards issued by the Comptroller General of the United States or the Quality Standards for Inspection and Evaluation of the Council of the Inspectors General on Integrity and Efficiency.

Results of Review

We determined that all four recommendations have been resolved and implemented.

       Recommendation 1: Establish a uniform DOI-wide, system-controlled chain of custody property system for computers.

PAM established a policy requiring that DOI treat all computers as system-controlled property to be recorded and tracked in an official system for managing personal property. PAM also provided information to demonstrate that it had established a centralized, DOI-wide property management system.

Based on the information that PAM provided and the documents we reviewed, we conclude that this recommendation has been resolved and implemented.

       Recommendation 2: Incorporate information sanitization procedures in conjunction with property disposal procedures.

PAM and OCIO issued a memorandum and published a chapter in the Departmental Manual to provide guidance on the proper sanitization and disposal of computer equipment.

Based on the information that PAM and OCIO provided and the documents we reviewed, we conclude that this recommendation has been resolved and implemented.

       Recommendation 3: Require that the loss or theft of all computers be reported to DOI's Computer Incident Response Center [DOI-CIRC].

PAM revised its policy to require that all incidents of loss, theft, or damage to desktop and laptop computers be reported to the DOI-CIRC. OCIO also included a statement in its mandatory training for Federal Information System Security Awareness and Privacy and Records Management that all information security incidents, including the potential loss or theft of all computers, be reported to DOI-CIRC. In addition, DOI's "Interior Computer Security Incident Response Handbook" establishes reporting requirements based on threat level assessments. The handbook further requires that lost or stolen laptops containing personally identifiable information be reported to DOI-CIRC within one hour of discovery.

Based on the information that PAM and OCIO provided and the documents we reviewed, we conclude that this recommendation has been resolved and implemented.

       Recommendation 4: Take immediate steps to encrypt all portable computers throughout DOI.

OCIO mandated that all bureaus and offices use cryptography to protect the confidentiality and integrity of remote access sessions and authorized an enterprise data encryption solution. At the time OCIO requested closure of this recommendation, it reported that nearly 85 percent of DOI laptops had been encrypted. At the time of our review, OCIO reported that 89 percent of DOI laptops had been encrypted. OCIO's goal is to encrypt all DOI laptops; it stated, however, that 100 percent compliance is not easily sustained in such a dynamic environment.

Based on the information OCIO provided, the documents we reviewed, and consideration of the fluidity of the situation, we conclude that this recommendation has been resolved and implemented.

Conclusion

In an email dated July 26, 2013, we informed OCIO officials of the results of this review. OCIO officials agreed with the results of our review and declined our offer for an exit conference.

If you have any questions about this report, please contact me at 916-978-5653.

cc: Debra E. Sonderman, Director, Office of Acquisition and Property Management
    Bernard Mazer, Chief Information Officer, Office of the Chief Information Officer
    Nancy Thomas, Liaison Officer, Office of Financial Management
    Kathryn Bender, Liaison Officer, Office of Acquisition and Property Management
    Michael Ashworth, Director, Independent Verification and Validation, Office of the Chief Information Officer
    Peter Brownell, Liaison Officer, Office of the Chief Information Officer